Root users can currently kill the com.google.santa.daemon process. It will be immediately restarted by sysextd but this opens a very brief window where protection is lost. Hooking ES_EVENT_TYPE_AUTH_SIGNAL and blocking all signals to the santad process prevents this and it doesn't interfere with upgrades.
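A minimal Endpoint Security client that applies the approach described above, as an added example that is not Santa's own code: it subscribes to `ES_EVENT_TYPE_AUTH_SIGNAL` and denies every signal whose target is the protected process. It assumes the client protects its own PID (`protectedPid` is a name chosen here), runs as root, and carries the `com.apple.developer.endpoint-security.client` entitlement.

```objective-c
// Added example (not Santa's code). Build on macOS 10.15 or later:
//   clang -fobjc-arc -framework Foundation -lEndpointSecurity -lbsm guard.m -o guard
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>
#include <unistd.h>

int main(void) {
  // Assumption: the process being protected is this ES client itself.
  const pid_t protectedPid = getpid();
  es_client_t *client = NULL;

  es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
    if (msg->event_type != ES_EVENT_TYPE_AUTH_SIGNAL) return;

    pid_t target = audit_token_to_pid(msg->event.signal.target->audit_token);
    pid_t sender = audit_token_to_pid(msg->process->audit_token);

    // Deny any signal aimed at the protected process; allow everything else.
    es_auth_result_t verdict =
        (target == protectedPid) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW;
    if (verdict == ES_AUTH_RESULT_DENY) {
      NSLog(@"denied signal %d from pid %d to pid %d", msg->event.signal.sig, sender, target);
    }

    // AUTH events must be answered before msg->deadline, so respond right away.
    // cache=false so that each signal delivery is evaluated on its own.
    es_respond_auth_result(c, msg, verdict, false);
  });
  if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
    NSLog(@"es_new_client failed: %d (check root, entitlement, Full Disk Access)", (int)res);
    return 1;
  }

  es_event_type_t events[] = {ES_EVENT_TYPE_AUTH_SIGNAL};
  if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
    NSLog(@"es_subscribe failed");
    es_delete_client(client);
    return 1;
  }

  dispatch_main();  // never returns; the handler runs on ES's dispatch queue
}
```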